There are so many wrong things going on here...let's just hit the highlights with the top two "most dangerous things to do when logging in users" list:
1) Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. And concatenating strings at login not only hands your DB to everyone, it lest them bypass your security completely and login in as you or any other user without even knowing your password...
2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here:
Password Storage: How to do it.[
^]